IntenseWebs/pgadmin4
3
0
Fork 0
mirror of https://github.com/pgadmin-org/pgadmin4.git synced 2025-02-25 18:55:31 -06:00
Code Issues Packages Projects Releases Wiki Activity

Added support for LDAP authentication with different DN by setting the dedicated user for the LDAP connection. Fixes #5484

Browse Source
This commit is contained in:
Khushboo Vashi 2020-07-06 19:35:55 +05:30 committed by Akshay Joshi
parent a6ce78a8c0
commit 58b4c45d0c
5 changed files with 79 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/en_US/release_notes_4_24.rst
View File

@ -9,6 +9,7 @@ This release contains a number of bug fixes and new features since the release o
New features New features
************ ************
| `Issue #5484 <https://redmine.postgresql.org/issues/5484>`_ - Added support for LDAP authentication with different DN by setting the dedicated user for the LDAP connection.
| `Issue #5583 <https://redmine.postgresql.org/issues/5583>`_ - Added support for schema level restriction. | `Issue #5583 <https://redmine.postgresql.org/issues/5583>`_ - Added support for schema level restriction.
| `Issue #5601 <https://redmine.postgresql.org/issues/5601>`_ - Added RLS Policy support in Schema Diff. | `Issue #5601 <https://redmine.postgresql.org/issues/5601>`_ - Added RLS Policy support in Schema Diff.

10
web/config.py
View File

@ -527,6 +527,16 @@ LDAP_BASE_DN = '<Base-DN>'
# whilst in AD, 'sAMAccountName' might be appropriate. (REQUIRED) # whilst in AD, 'sAMAccountName' might be appropriate. (REQUIRED)
LDAP_USERNAME_ATTRIBUTE = '<User-id>' LDAP_USERNAME_ATTRIBUTE = '<User-id>'
# LDAP Bind User DN Example: cn=username,dc=example,dc=com (OPTIONAL)
# Set this parameter to allow the connection to bind using a dedicated user.
# After the connection is made, the pgadmin login user will be further
# authenticated by the username and password provided
# at the login screen. (OPTIONAL)
LDAP_BIND_USER = None
# LDAP Bind User Password (OPTIONAL)
LDAP_BIND_PASSWORD = None
# Search ldap for further authentication # Search ldap for further authentication
LDAP_SEARCH_BASE_DN = '<Search-Base-DN>' LDAP_SEARCH_BASE_DN = '<Search-Base-DN>'

53
web/pgadmin/authenticate/ldap.py
View File

@ -36,16 +36,51 @@ class LDAPAuthentication(BaseAuthentication):
def authenticate(self, form): def authenticate(self, form):
self.username = form.data['email'] self.username = form.data['email']
self.password = form.data['password'] self.password = form.data['password']
user_email = None
dedicated_user = True
# Check the dedicated ldap user
self.bind_user = getattr(config, 'LDAP_BIND_USER', None)
self.bind_pass = getattr(config, 'LDAP_BIND_PASSWORD', None)
if self.bind_user and not self.bind_pass:
return False, "LDAP configuration error: Set the bind password."
# if no dedicated ldap user is configured then use the login
# username and password
if not self.bind_user or not self.bind_pass:
user_dn = "{0}={1},{2}".format(config.LDAP_USERNAME_ATTRIBUTE,
self.username,
config.LDAP_BASE_DN
)
self.bind_user = user_dn
self.bind_pass = self.password
dedicated_user = False
# Connect ldap server
status, msg = self.connect() status, msg = self.connect()
if not status: if not status:
return status, msg return status, msg
status, user_email = self.search_ldap_user() status, ldap_user = self.search_ldap_user()
if not status: if not status:
return status, user_email return status, ldap_user
# If dedicated user is configured
if dedicated_user:
# Get the user DN from the user ldap entry
self.bind_user = ldap_user.entry_dn
self.bind_pass = self.password
status, msg = self.connect()
if not status:
return status, msg
if 'mail' in ldap_user:
user_email = ldap_user['mail'].value
return self.__auto_create_user(user_email) return self.__auto_create_user(user_email)
@ -101,13 +136,10 @@ class LDAPAuthentication(BaseAuthentication):
# Create the connection # Create the connection
try: try:
user_dn = "{0}={1},{2}".format(config.LDAP_USERNAME_ATTRIBUTE,
self.username,
config.LDAP_BASE_DN
)
self.conn = Connection(server, self.conn = Connection(server,
user=user_dn, user=self.bind_user,
password=self.password, password=self.bind_pass,
auto_bind=True auto_bind=True
) )
@ -184,11 +216,8 @@ class LDAPAuthentication(BaseAuthentication):
return False, ERROR_SEARCHING_LDAP_DIRECTORY.format(e.args[0]) return False, ERROR_SEARCHING_LDAP_DIRECTORY.format(e.args[0])
for entry in self.conn.entries: for entry in self.conn.entries:
user_email = None
if config.LDAP_USERNAME_ATTRIBUTE in entry and self.username == \ if config.LDAP_USERNAME_ATTRIBUTE in entry and self.username == \
entry[config.LDAP_USERNAME_ATTRIBUTE].value: entry[config.LDAP_USERNAME_ATTRIBUTE].value:
if 'mail' in entry: return True, entry
user_email = entry['mail'].value
return True, user_email
return False, ERROR_SEARCHING_LDAP_DIRECTORY.format( return False, ERROR_SEARCHING_LDAP_DIRECTORY.format(
"Could not find the specified user.") "Could not find the specified user.")

7
web/pgadmin/browser/tests/test_ldap_login.py
View File

@ -29,6 +29,9 @@ class LDAPLoginTestCase(BaseTestGenerator):
('LDAP With TLS Authentication', dict( ('LDAP With TLS Authentication', dict(
config_key_param='ldap_with_tls', config_key_param='ldap_with_tls',
is_gravtar_image_check=False)), is_gravtar_image_check=False)),
('LDAP With Dedicated User Authentication', dict(
config_key_param='ldap_with_dedicated_user',
is_gravtar_image_check=False)),
] ]
@classmethod @classmethod
@ -59,6 +62,10 @@ class LDAPLoginTestCase(BaseTestGenerator):
app_config.LDAP_CA_CERT_FILE = ldap_config['ca_cert_file'] app_config.LDAP_CA_CERT_FILE = ldap_config['ca_cert_file']
app_config.LDAP_CERT_FILE = ldap_config['cert_file'] app_config.LDAP_CERT_FILE = ldap_config['cert_file']
app_config.LDAP_KEY_FILE = ldap_config['key_file'] app_config.LDAP_KEY_FILE = ldap_config['key_file']
if ldap_config['bind_user'] != "" and\
ldap_config['bind_password'] != "":
app_config.LDAP_BIND_USER = ldap_config['bind_user']
app_config.LDAP_BIND_PASSWORD = ldap_config['bind_password']
else: else:
self.skipTest( self.skipTest(
"LDAP config not set." "LDAP config not set."

20
web/regression/test_config.json.in
View File

@ -20,6 +20,8 @@
"ldap": { "ldap": {
"name": "Ldap scenario name", "name": "Ldap scenario name",
"uri": "ldap://IP-ADDRESS/HOSTNAME:389", "uri": "ldap://IP-ADDRESS/HOSTNAME:389",
"bind_user": "",
"bind_password": "",
"base_dn": "BASE-DN", "base_dn": "BASE-DN",
"search_base_dn": "SEARCH-BASE-DN", "search_base_dn": "SEARCH-BASE-DN",
"username_atr": "UID", "username_atr": "UID",
@ -32,6 +34,8 @@
"ldap_with_ssl": { "ldap_with_ssl": {
"name": "Ldap scenario name", "name": "Ldap scenario name",
"uri": "ldaps://IP-ADDRESS/HOSTNAME:636", "uri": "ldaps://IP-ADDRESS/HOSTNAME:636",
"bind_user": "",
"bind_password": "",
"base_dn": "BASE-DN", "base_dn": "BASE-DN",
"search_base_dn": "SEARCH-BASE-DN", "search_base_dn": "SEARCH-BASE-DN",
"username_atr": "UID", "username_atr": "UID",
@ -44,6 +48,22 @@
"ldap_with_tls": { "ldap_with_tls": {
"name": "Ldap scenario name", "name": "Ldap scenario name",
"uri": "ldap://IP-ADDRESS/HOSTNAME:389", "uri": "ldap://IP-ADDRESS/HOSTNAME:389",
"bind_user": "",
"bind_password": "",
"base_dn": "BASE-DN",
"search_base_dn": "SEARCH-BASE-DN",
"username_atr": "UID",
"search_filter": "(objectclass=*)",
"use_starttls": true,
"ca_cert_file": "",
"cert_file": "",
"key_file": ""
},
"ldap_with_dedicated_user": {
"name": "Ldap scenario name",
"uri": "ldap://IP-ADDRESS/HOSTNAME:389",
"bind_user": "",
"bind_password": "",
"base_dn": "BASE-DN", "base_dn": "BASE-DN",
"search_base_dn": "SEARCH-BASE-DN", "search_base_dn": "SEARCH-BASE-DN",
"username_atr": "UID", "username_atr": "UID",